
我们最近感染了 thumbs.db2 病毒,它为我们网络驱动器上所有的 Word 和 Excel 文档创建了快捷方式,并把真实文件隐藏了起来。我已经写好了代码,可以遍历所有文件夹、找到这些快捷方式并将其删除,但我还需要取消隐藏那些被隐藏的真实文件,而这一步我一直没能实现。

我的代码在下面,写得很快,所以请善待:)

 /// <summary>
 /// Lazily walks the folder tree under <paramref name="root"/> and yields the path of
 /// every file that matches <paramref name="searchPattern"/>.
 /// </summary>
 /// <param name="root">Folder to start from.</param>
 /// <param name="searchPattern">Pattern handed to Directory.GetFiles, e.g. "*.lnk".</param>
 /// <returns>Matching file paths; the files of a folder are yielded before its subfolders are visited.</returns>
 public static IEnumerable<string> GetFiles(string root, string searchPattern)
    {
        // Explicit stack instead of recursion, so depth is not limited by the call stack.
        var worklist = new Stack<string>();
        worklist.Push(root);

        while (worklist.Count > 0)
        {
            string current = worklist.Pop();

            // Any failure to list a folder is swallowed and the folder is skipped.
            // For a cleanup sweep this means shortcuts in unreadable folders are
            // missed without any trace in the output.
            string[] matches = null;
            try
            {
                matches = Directory.GetFiles(current, searchPattern);
            }
            catch { }

            if (matches != null)
            {
                for (int i = 0; i < matches.Length; i++)
                {
                    yield return matches[i];
                }
            }

            // NOTE(review): subfolders are queued without looking at their attributes,
            // so junctions and other reparse points are followed like ordinary folders.
            try
            {
                string[] children = Directory.GetDirectories(current);
                foreach (string child in children)
                {
                    worklist.Push(child);
                }
            }
            catch { }
        }
    }
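    /// <summary>
    /// Inventory pass: walks S:\ for *.lnk files, stores one LinkFileLocation row per
    /// shortcut (owner and creation time, plus the shortcut's arguments, description,
    /// path, hotkey and icon when it matches the thumbs.db2 pattern) and writes the
    /// paths of the matching shortcuts to c:\test.txt. Nothing is deleted or unhidden.
    /// </summary>
    static void Main()
    {
        // StringBuilder avoids re-copying the whole report for every hit on a large share.
        System.Text.StringBuilder lines = new System.Text.StringBuilder();
        string startFolder = @"S:\";

        // The result is discarded; the call only makes a missing or unreadable root
        // fail right away instead of producing an empty scan.
        System.IO.DirectoryInfo dir = new System.IO.DirectoryInfo(startFolder);
        dir.GetDirectories("*.*");

        // GetFiles skips folders it cannot list, so the inventory is only complete
        // when this account can read every folder under the root.
        IEnumerable<String> fileList = GetFiles(startFolder, "*.lnk");

        int I = 0;
        DtataDataContext D = new DtataDataContext();
        // One shell object is enough for the whole run; it is only used to parse .lnk files.
        WshShell shell = new WshShell();

        foreach (string fi in fileList)
        {
            LinkFileLocation L = new LinkFileLocation();
            WshShortcut shortcut = (WshShortcut)shell.CreateShortcut(fi);
            FileInfo F = new FileInfo(fi);

            // The value stored in UserCreated is the file's owner taken from its ACL.
            // Reading the ACL now sits inside the try as well, so a single shortcut
            // whose security descriptor cannot be read no longer aborts the scan.
            try
            {
                var sid = F.GetAccessControl().GetOwner(typeof(SecurityIdentifier));
                Console.WriteLine(sid); // SID
                var ntAccount = sid.Translate(typeof(NTAccount));
                Console.WriteLine(ntAccount); // DOMAIN\username
                L.UserCreated = ntAccount.Value;
            }
            catch
            {
                L.UserCreated = "Not Known";
            }

            L.CreationTime = F.CreationTime;

            // Windows paths and command lines are case-insensitive, so the indicator
            // match must be too; a case-sensitive Contains would miss "CMD.EXE".
            string arguments = shortcut.Arguments ?? "";
            string target = shortcut.TargetPath ?? "";
            bool infected =
                arguments.IndexOf("thumbs.db2 start", StringComparison.OrdinalIgnoreCase) >= 0 &&
                target.IndexOf("cmd.exe", StringComparison.OrdinalIgnoreCase) >= 0;

            if (infected)
            {
                L.Arguments = shortcut.Arguments;
                L.Description = shortcut.Description;
                L.FullName = shortcut.FullName;
                L.HotKey = shortcut.Hotkey;
                L.IconLocation = shortcut.IconLocation;
                Console.Write("Infected Shortcut --" + I.ToString() + "-- :-" + shortcut.FullName.ToString() + Environment.NewLine);
                lines.Append("Infected Shortcut :-" + shortcut.FullName.ToString() + Environment.NewLine);
                I++;
            }

            // A row is stored for every shortcut, infected or not, and submitted
            // immediately so an interrupted run keeps what it has recorded so far.
            D.LinkFileLocations.InsertOnSubmit(L);
            D.SubmitChanges();
        }

        // Write the report; using closes the file even if the write throws.
        using (System.IO.StreamWriter file = new System.IO.StreamWriter("c:\\test.txt"))
        {
            file.WriteLine(lines.ToString());
        }

        Console.WriteLine("Press any key to exit");
        Console.ReadKey();
    }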

如何在c#中取消隐藏文件

任何帮助将不胜感激。

最诚挚的问候


6 回答 6


正如您在MSDN中看到的,从文件中删除隐藏属性很容易:

// Read the current attribute mask and rewrite it only when the Hidden bit is set.
// Only that one bit is cleared, so every other attribute stays as it was.
// fi must be the path of the hidden document itself, not of its .lnk shortcut.
FileAttributes current = File.GetAttributes(fi);
bool isHidden = (current & FileAttributes.Hidden) != 0;
if (isHidden)
{
    File.SetAttributes(fi, current & ~FileAttributes.Hidden);
}

但是,如果您无权执行此操作或有任何其他问题,请在您的问题中解释。

于 2012-08-16T09:05:44.367 回答

一个问题:

del /S *.xls.lnk

del /S *.doc.lnk

does the trick too. Also

attrib -H /S *.doc

attrib -H /S *.xls

该恶意软件还修改了现有的快捷方式以包含对 thumbs.db2 的调用。此方法还需要从备份中恢复以前存在的 .LNK 文件!

或者(正如我计划做的那样),使用上面的代码并添加对先前存在的 LNK 文件的检查 - 基于创建日期/时间和/或同一目录中不存在名称与 LNK 文件匹配的隐藏文件。

此外,对于仍在等待杀毒厂商给出修复方案的人:用一个占位的虚拟文件替换 thumbs.db2 并锁定其 NTFS 权限,似乎可以阻止它执行;而且恶意软件并不会像有些人提到的那样改用其他文件名。

于 2012-08-17T07:29:16.160 回答
System.IO.File.SetAttributes(<Filename>, IO.FileAttributes.Normal)

我认为这样应该可以(注意:设置为 Normal 会把文件的其他属性,例如只读和系统属性,一并清除,而不只是隐藏属性)。

于 2012-08-20T12:11:20.363 回答

请同时检查您的网络共享中其他 .lnk 文件的路径

我们遇到的这个病毒版本不仅创建了 .xls.lnk 和 .doc.lnk 文件,还修改了所有已有的 .lnk 文件。

于 2012-08-17T08:24:26.543 回答

整洁……但是

del /S *.xls.lnk

del /S *.doc.lnk

也可以。还

attrib -H /S *.doc

attrib -H /S *.xls

于 2012-08-16T17:08:35.960 回答

对于任何有同样问题的人,这是我们用来删除链接和取消隐藏文件的代码

using System;

using System.Collections.Generic;
using System.Linq;
using System.Text;
using IWshRuntimeLibrary;
using System.IO;
using System.Security.Principal;

namespace HiddenFilesHow
{
    using Microsoft.Win32.SafeHandles;

    class FindFileByExtension
    {

    // Yields the full path of every file matching searchPattern under the
    // specified folder, including subfolders. Folders that cannot be read are
    // skipped silently, and the results are not sorted.
    /// <summary>
    /// Enumerates, on demand, every file below <paramref name="root"/> whose name
    /// matches <paramref name="searchPattern"/>, descending into all subfolders.
    /// </summary>
    /// <param name="root">Folder the walk starts in.</param>
    /// <param name="searchPattern">Pattern passed to Directory.GetFiles, e.g. "*.lnk".</param>
    /// <returns>Paths of the matching files, one folder at a time.</returns>
    public static IEnumerable<string> GetFiles(string root, string searchPattern)
    {
        Stack<string> todo = new Stack<string>();
        todo.Push(root);

        // The stack starts with one entry, so testing at the bottom of the loop is safe.
        do
        {
            string folder = todo.Pop();

            // Listing errors are deliberately ignored: the folder is skipped and
            // nothing is reported, so an incomplete sweep is not visible to the caller.
            string[] hits = null;
            try { hits = Directory.GetFiles(folder, searchPattern); }
            catch { }

            if (hits != null)
            {
                foreach (string hit in hits)
                {
                    yield return hit;
                }
            }

            // NOTE(review): reparse points (junctions, symlinks) are not filtered
            // out here; they are walked like ordinary folders.
            string[] subfolders = null;
            try { subfolders = Directory.GetDirectories(folder); }
            catch { }

            if (subfolders != null)
            {
                foreach (string subfolder in subfolders)
                {
                    todo.Push(subfolder);
                }
            }
        } while (todo.Count != 0);
    }
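    /// <summary>
    /// Cleanup pass: asks for a folder, finds every *.lnk file below it and, for each
    /// shortcut that matches the thumbs.db2 pattern, unhides the document the shortcut
    /// stands in for (the same path without the trailing ".lnk") and then deletes the
    /// shortcut. The matching shortcut paths are written to c:\test.txt.
    /// </summary>
    /// <remarks>
    /// A shortcut is deleted only when a hidden file with the matching name exists
    /// beside it. A matching shortcut without such a file is left in place for manual
    /// handling; it is still listed in the report.
    /// </remarks>
    static void Main()
    {
        try
        {
            // StringBuilder avoids re-copying the whole report for every hit.
            System.Text.StringBuilder lines = new System.Text.StringBuilder();
            try
            {
                Console.WriteLine("Please enter folder location:- ");
                string startFolder = Console.ReadLine();
                Console.WriteLine("Begining Scan ");

                // The result is discarded; the call only makes a missing or unreadable
                // start folder fail right away instead of producing an empty scan.
                System.IO.DirectoryInfo dir = new System.IO.DirectoryInfo(startFolder);
                dir.GetDirectories("*.*");

                // GetFiles skips folders it cannot list, so the cleanup is only complete
                // when this account can read every folder under the start folder.
                IEnumerable<String> fileList = GetFiles(startFolder, "*.lnk");

                // One shell object is enough; it is only used to parse .lnk files.
                WshShell shell = new WshShell();

                foreach (string fi in fileList)
                {
                    // Everything for one shortcut runs in its own try, so a single
                    // locked, unreadable or orphaned file no longer ends the whole scan.
                    try
                    {
                        WshShortcut shortcut = (WshShortcut)shell.CreateShortcut(fi);

                        // The owner is printed for information only; a failure to read
                        // or translate it must not block the cleanup of this shortcut.
                        try
                        {
                            FileInfo F = new FileInfo(fi);
                            var sid = F.GetAccessControl().GetOwner(typeof(SecurityIdentifier));
                            var ntAccount = sid.Translate(typeof(NTAccount));
                            Console.WriteLine(ntAccount); // DOMAIN\username
                        }
                        catch
                        {
                        }

                        // Windows paths and command lines are case-insensitive, so the
                        // indicator match must be too.
                        string arguments = shortcut.Arguments ?? "";
                        string target = shortcut.TargetPath ?? "";
                        bool infected =
                            arguments.IndexOf("thumbs.db2 start", StringComparison.OrdinalIgnoreCase) >= 0 &&
                            target.IndexOf("cmd.exe", StringComparison.OrdinalIgnoreCase) >= 0;
                        if (!infected)
                        {
                            continue;
                        }

                        lines.Append("Infected Shortcut :-" + shortcut.FullName.ToString() + Environment.NewLine);

                        // Strip only a trailing ".lnk", in any letter case. Replacing
                        // every ".lnk" in the path would also rewrite folder names that
                        // contain it and would miss an upper-case extension.
                        if (!fi.EndsWith(".lnk", StringComparison.OrdinalIgnoreCase))
                        {
                            Console.WriteLine("The {0} file not deleted --------.", fi);
                            continue;
                        }
                        string original = fi.Substring(0, fi.Length - ".lnk".Length);

                        // No file of that name: the shortcut is not a stand-in for a
                        // hidden document, so it is reported and left alone.
                        if (!System.IO.File.Exists(original))
                        {
                            Console.WriteLine("The {0} shortcut has no matching file; left in place.", fi);
                            continue;
                        }

                        FileAttributes attributes = System.IO.File.GetAttributes(original);
                        if ((attributes & FileAttributes.Hidden) == FileAttributes.Hidden)
                        {
                            // Unhide first and delete second: if unhiding fails, the
                            // shortcut stays as the visible pointer to the document.
                            attributes = RemoveAttribute(attributes, FileAttributes.Hidden);
                            System.IO.File.SetAttributes(original, attributes);
                            Console.WriteLine("The {0} file is no longer hidden.", original);

                            System.IO.File.Delete(fi);
                            Console.WriteLine("The {0} file is no longer exists.", fi);
                        }
                    }
                    catch (Exception ex)
                    {
                        // Report instead of swallowing, so the operator knows which
                        // files still need attention.
                        Console.WriteLine("Skipped {0}: {1}", fi, ex.Message);
                    }
                }
            }
            finally
            {
                // Written in finally so a scan that aborts part-way still leaves a
                // record of what it found; using closes the file if the write throws.
                using (System.IO.StreamWriter file = new System.IO.StreamWriter("c:\\test.txt"))
                {
                    file.WriteLine(lines.ToString());
                }
            }

            Console.WriteLine("Press any key to exit");
            Console.ReadKey();
        }
        catch (Exception e)
        {
            Console.WriteLine(e.Message);
            Console.WriteLine("Error");
            Console.ReadLine();
        }
    }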
    /// <summary>
    /// Returns <paramref name="attributes"/> with every flag in
    /// <paramref name="attributesToRemove"/> cleared; all other flags are kept.
    /// </summary>
    /// <param name="attributes">The attribute mask to start from.</param>
    /// <param name="attributesToRemove">The flag or flags to clear.</param>
    /// <returns>The resulting attribute mask.</returns>
    private static FileAttributes RemoveAttribute(FileAttributes attributes, FileAttributes attributesToRemove)
    {
        // Invert the flags to remove into a keep-mask, then AND it with the input.
        FileAttributes keepMask = ~attributesToRemove;
        FileAttributes remaining = attributes & keepMask;
        return remaining;
    }
}

}

于 2012-08-16T09:56:11.650 回答